
Amit Sivan worked across the aquasecurity/trivy and coder/trivy repositories, focusing on backend development in Go, dependency analysis, and documentation. He enhanced Trivy's Python packaging analyzer to recognize .egg-info/METADATA files, improving detection of Python packages in container images. Amit also refined PNPM lockfile parsing for Node.js projects, enabling more accurate dependency graphs by differentiating packages with identical versions but distinct peer dependencies. His updates to documentation ensured alignment with evolving JSON Schema standards and new reporting formats. Additionally, he improved OS detection logic for CentOS and CoreOS, increasing vulnerability scan reliability and broadening SBOM coverage for diverse environments.
December 2025 monthly summary focusing on key accomplishments for aquasecurity/trivy. Delivered OS detection refinement to distinguish CentOS and CentOS Stream, improving vulnerability scan reliability and OS family identification. Implemented logic to use the NAME field for accurate classification, preventing unnecessary scan failures and aligning results with expectations. Collaborated on a fix that skips vuln detection for CentOS Stream in relevant scenarios (see #9964).
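The NAME-based distinction described above, as an added Go example that is not Trivy's own code: it parses os-release fields and decides whether vulnerability detection should run. The sample os-release contents and the family labels ("centos", "centos-stream") are constructed for this illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample os-release contents (not Trivy test data).
const SampleCentOSLinux = "NAME=\"CentOS Linux\"\nID=\"centos\"\nVERSION_ID=\"8\"\n"
const SampleCentOSStream = "NAME=\"CentOS Stream\"\nID=\"centos\"\nVERSION_ID=\"9\"\n"

// ParseOSRelease reads KEY=VALUE lines from an os-release file,
// skipping blanks and comments and stripping surrounding quotes.
func ParseOSRelease(content string) map[string]string {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if key, val, ok := strings.Cut(line, "="); ok {
			fields[key] = strings.Trim(val, `"'`)
		}
	}
	return fields
}

// Classify returns a family label and whether vulnerability detection should run.
// CentOS Linux and CentOS Stream both report ID=centos, so NAME is the only
// field that tells them apart. The labels are this example's own choice.
func Classify(fields map[string]string) (family string, vulnSupported bool) {
	if fields["ID"] != "centos" {
		return fields["ID"], true
	}
	if strings.Contains(fields["NAME"], "Stream") {
		// No advisory data for Stream: skip detection instead of failing the scan.
		return "centos-stream", false
	}
	return "centos", true
}

func main() {
	for _, s := range []string{SampleCentOSLinux, SampleCentOSStream} {
		fam, ok := Classify(ParseOSRelease(s))
		fmt.Printf("%s -> run vuln detection: %v\n", fam, ok)
	}
}
```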
September 2025 delivered two high-impact updates in aquasecurity/trivy-test that materially strengthen our dependency analysis and SBOM coverage. The PNPM lockfile parsing enhancement improves accuracy by using the snapshot string as the Package.ID and differentiating packages with identical versions but differing peer dependencies, delivering more reliable dependency graphs for pnpm-based Node.js projects. The CoreOS support added to the Trivy SBOM scanner expands OS coverage with CoreOS detection, Package URL generation, and accompanying documentation, while noting that vulnerability scanning for CoreOS packages is not supported in this iteration. These changes improve security posture and compliance readiness for pnpm-based apps and broaden SBOM visibility across additional OSes, laying groundwork for future vulnerability scanning enhancements for CoreOS.
July 2025: Strengthened Python packaging detection in Trivy's analyzer by adding support for the .egg-info/METADATA file, enabling accurate recognition of Python packages packaged as .egg within container images. This fixes gaps in packaging metadata handling and improves scanning reliability for Python-based images.
December 2024 (coder/trivy): Delivered focused documentation updates to reflect JSON Schema v2 and the new reporting format. Updated example commands and outputs to use alpine:latest, ensuring reproducibility with the latest environment. Change traceable to commit e8085bae3e71fc5c9839feb13e34b75deba4ce9d as part of PR #8188. No major bugs fixed this month; the work centered on documentation accuracy, user onboarding, and alignment with current tool capabilities. Business impact includes improved developer understanding, smoother adoption of the new reporting format, and clearer expectations for output formatting.
